GitHub reported a breach by TeamPCP through a compromised VSCode extension that exposed approximately 3,800 internal repositories. TeamPCP has conducted at least 20 waves of attacks in recent months, according to Socket data, inserting malware into over 500 distinct open source packages and their versions. Primary sources confirm the group previously targeted tools at OpenAI and Mercor via similar credential theft methods. The attacks follow a documented cycle where initial network access enables publication of tainted developer tools, creating further entry points as described in the GitHub statement. This matches patterns in prior incidents such as the 2024 XZ Utils compromise reported by Red Hat. Automation via the Mini Shai-Hulud worm, which generates repositories containing stolen encrypted credentials, has accelerated the process per Wiz threat intelligence cited in contemporaneous reports.